Butlin’s admits 34,000 guest records stolen in hack

The holiday camp chain says the stolen data does not include payment details – but customers’ names, holiday dates, postal and email addresses and telephone numbers are believed to have been accessed.

A spokesperson confirmed to Sky News that the compromise had taken place over the past 72 hours, and was caused by a phishing email which posed as the local Chamber of Commerce.

Under the EU’s new General Data Protection Regulation (GDPR), British companies must notify the Information Commissioner’s Office of any data breaches within 72 hours or face a fine.

The company said its own investigations “have not found any fraudulent activity related to this event”.

It added: “Guests who may have been affected are being contacted directly by Butlin’s to let them know what’s happened, what they should do and what is being done to resolve the situation.”

Individuals who believe they may have been affected should be careful not to give out any additional details when contacted by anyone claiming to be from Butlin’s, as impersonating the affected company is a common tactic used by fraudsters following data breaches.

The chain says it has reported the incident to the ICO, and a spokesperson for the data protection regulator told Sky News: “Butlin’s has made us aware of an incident and we will be making enquiries.”

In 2016, the ICO fined TalkTalk a record £400,000 for its security failings after the personal details of 156,959 customers were accessed, including their names, addresses, dates of birth, phone numbers and email addresses.

Butlin’s managing director Dermot King said: “Butlin’s take the security of our guest data very seriously and have improved a number of our security processes.

“I would like to apologise for any upset or inconvenience this incident might cause.

“A dedicated team has been set up to contact all guests who may be affected directly. I would like to personally reassure guests that no financial data has been compromised.”